I created a private key with GnuTLS certtool and had it signed by StartSSL. When I try to use the signed certificate, all connections to courier (smtp or imap) fail with Decrypt errors. The log file has lines like "imapd-ssl: Decrypt error" and "esmtpd-ssl: Decrypt error".
Tested with GnuTLS 3.2.13 and 3.3.1 and courier-0.71.

The private key was generated as such:

# certtool --generate-privkey --rsa --pkcs8 --pkcs-cipher aes-256 --bits 4096 --outfile server-privkey.pk8
# certtool --generate-request --load-privkey server-privkey.pk8 --template template.cfg --hash SHA512 --outfile server-privkey.csr

The resulting .csr certificate request was successfully accepted by the StartSSL.com control panel and a new signed certificate in PEM format was generated.

In /etc/courier/imapd-ssl I have:

TLS_CERTFILE=/usr/share/courier/domain.com.pem

I have added the certificate first, then the private (decrypted) key in the domain.com.pem file, and vice versa. But it doesn't seem to work.

Are there any limitations to the type of hash or other features of the certificates that are supported by courier?

The following two match:

# openssl req -noout -modulus -in server-privkey.csr | openssl md5
# openssl x509 -noout -modulus -in startcom-server.crt | openssl md5

Should I put something else inside the TLS_CERTFILE? Is the order of the key, cert, intermediary CA and root CA important in the PEM file?

Regards,
~A
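Added example, not part of the original message: the comparison above checks the CSR against the certificate, while this sketch checks the combined PEM file itself, confirming that it holds an unencrypted private key whose public half equals the public key of the first certificate in the file. The function names, the file names and the throwaway key material produced by make_sample are constructed for illustration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: verify a combined PEM (certificate + private key) before
# pointing TLS_CERTFILE at it. All names below are constructed for the demo.

# check_bundle FILE -> prints match/mismatch, returns 0/1 (2 = unusable file)
check_bundle() {
    bundle=$1
    # -passin pass: makes a still-encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$bundle" -passin pass: -pubout 2>/dev/null) || {
        echo "no usable unencrypted private key"; return 2; }
    # openssl x509 reads the first certificate block found in the file.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || {
        echo "no certificate"; return 2; }
    if [ "$key_pub" = "$cert_pub" ]; then
        echo "match"; return 0
    fi
    echo "mismatch"; return 1
}

# make_sample DIR -> writes constructed throwaway bundles for testing the check
make_sample() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/a.key" -subj "/CN=mail.example.test" \
        -days 1 -out "$1/a.crt" 2>/dev/null
    cat "$1/a.crt" "$1/a.key" > "$1/cert-first.pem"   # cert, then its key
    cat "$1/a.key" "$1/a.crt" > "$1/key-first.pem"    # same pair, reversed
    cat "$1/a.crt" "$1/b.key" > "$1/wrong-key.pem"    # cert with another key
    cp  "$1/a.crt" "$1/cert-only.pem"                 # key missing entirely
}

# Stand-alone use: sh check_bundle.sh /path/to/bundle.pem
if [ -n "${1:-}" ]; then
    check_bundle "$1"
fi
```

The check compares public keys rather than RSA moduli, so it also works for non-RSA keys.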